“It would have been a perfect somersault at the summer Games,” you think to yourself as you lie there, counting the stars swirling around in your head. You didn’t see that crack in the pavement that stopped your front tire. It was such a nice day for a bike ride. Now this . . . Ouch! You run your fingers carefully over that pain in your ribs, feeling a slight protrusion. “Probably broken,” you think. You reach in your pocket and find your cellphone. You dial 911. Within minutes, rescue comes.
- There Is No Cyber-911
Rescue scenarios like the one above play out all over the United States every day. Whether a small accident or a large-scale disaster, when you call, help comes.
But in the case of cyber-incidents, rescue may not come. If you suffer a cyber-attack by a sophisticated cyber-adversary, you risk losing all your data, or worse, having your data stolen for nefarious purposes like ruining your company’s reputation. You, and in some cases your CIO/CISO, are all alone to face the consequences.
- Your Turn is Coming – Network Defenders Are at a Disadvantage
Suffice it to say, your tools as a net defender are often limited. I have written in earlier posts about the “New Cold War.” In spite of your protective technologies, your employees are still your weakest link. All it takes is one of your employees to click an email they think is real and it opens a door right into your network. Spying has been taken to a new level, because the grooming and social engineering of people within your organization is done remotely, often outside the jurisdiction of our law enforcement agencies.
What’s worse is that a criminal or a spy may very well be in your network right now and you don’t even know it. In the information security community, this has become a given state and is called “assumption of breach.”
- It’s More Than Money – Cyber is Leverage
Compared to cyber-crime, a bank robbery is straightforward. All the robbers want is your money, and then they go away, hopefully without harming anyone. But in the cyber world, the bounty is much more nuanced and its power can be leveraged to reach tragic proportions.
The information in your network can be leveraged to affect your organization’s reputation, control your users’ access to critical intellectual capital, steal your organization’s money, data or intellectual capital, or threaten the life-safety of people depending on your system. Below are recent headlines showing how information has been leveraged by cyber adversaries.
FAA Computer Failure Disrupts Travel – CNN (Life Safety)
- Risk Tolerance Works Against You
When the first cave-dwellers witnessed the storm raging outside, they probably shrugged their shoulders, “Eh, what are we going to do?” For some reason, we humans can easily ignore risks.
Risks, especially ones we don’t understand, are easily rationalized by saying “We’ll deal with it when it comes.”
When presented with risks to the company, the boss doesn’t want to hear about the budget you need to fend off cyber-adversaries. They would rather preserve that budget for headaches they understand, that won’t affect financial bonuses and where there is an easy-to-see benefit.
- You Need an Effective Cyber-Strategy
An effective cyber-strategy is broken into three basic steps: ASSESS your current state, review and TEST your response plans, and CLOSE THE GAPS you identify.
Assess your current state by looking at all natural and man-made hazards that could affect your facility. Your policies should address the priority of your company’s data dependencies, in terms of recovery point and recovery time objectives.
When something occurs, you will also need an effective cyber response plan. The plan should cover service interruptions, countering network penetrations and recovery procedures. Take a look at your counter-penetration efforts directed at users, such as information assurance training. There are several penetration testing methods that can help you determine the sophistication of your users and their ability to resist phishing attempts.
Above all else, TEST your plans! As Murphy once said, “No plan survives first contact.” Network disasters are extremely complex and you need to develop the skills to flex your response. A good way to develop those skills is by using Sand Table – Tactical Resilience Games and exercises to play, work with response partners and test out possible solutions.
Finally, CLOSE THE GAPS that you identify in your response plan. Document the gaps you found when you tested your plan. Highlight consequences in terms of costs and propose solutions in terms of costs. When you present the issues this way to management, they will have an idea of what is at stake and what it will cost to fix it. Costs for potential legal claims, recovery of lost or stolen data, restoration of network hardware and software, and lost user productivity are good places to start looking for the costs of a cyber-disaster.